Bank Not Responsible for Letting Hackers Steal $300K From Customer

By Kim Zetter June 7, 2011 | 8:09 pm | Categories: Breaches, Cybersecurity, Hacks and Cracks
A judge in Maine has ruled that a bank that allowed hackers to steal more than $300,000 from a customer’s online account isn’t responsible for the lost money, saying the customer should have done more to protect the account credentials.

Magistrate Judge John Rich sided with Ocean Bank in recommending that the U.S. District Court in Maine grant the bank’s motions for a summary dismissal of a complaint filed by Patco Construction Company. The ruling was reported Monday by BankInfoSecurity.

The case raises questions about how much security banks and other financial institutions may be reasonably required to provide commercial customers. It could set a precedent for liability in circumstances where customer systems are hacked and banking credentials are stolen. Small and medium-sized businesses around the United States have lost hundreds of millions of dollars in recent years to such activity, known as fraudulent ACH (Automated Clearing House) transfers.

Patco Construction Company, a family-owned business in Sanford Maine, sued Ocean Bank, which is owned by People’s United Bank, after discovering in May 2009 that hackers were siphoning about $100,000 per day from its online bank account. The hackers had sent a malicious e-mail to employees that allowed them to surreptitiously install the Zeus password-stealing trojan on an employee computer.

more
http://www.wired.com/threatlevel/2011/06/bank-ach-theft/

You no longer get a decent, if any, interest rate. You pay abysmal fees. And now the bank won't even take responsibility for implementing decent security measures.

with his face covered and a gun pointed at the teller, the bank is not responsible?

great

I agree that the bank could have done more to verify that the transfers were legitimate, but where does the account owners responsibility to maintain security start and where does the banks end? It's a collaborative effort and the account holders failed more than the bank.

Bank Not Responsible for Letting Hackers Steal $300K From Customer



Bank Not Responsible for Letting Hackers Steal $300K From Customer

Or is the company just $300 thousand poorer?

or not.

However, at some point I am no longer insurable.

Any transaction I make out of the company trust account greater than $5000 results in an immediate (2-5 minutes later) phone call from the bank, they froze the account all together when I tried to login from Singapore until they could verify it had been an authorized user logging in.

The plaintiff might be stupid, but the defendant is horribly negligent.

last year. My bank gave it back, but then again, I notified them in time, and it was a personal account. Small local bank.

Otoh, when I set up my online account with my CREDIT UNION, they had me ask about 6 different questions about myself (not my mother's maiden name which is every bit as accessible as all your other information) and then answer them. Every now and then, they pop one or two up just to make sure I am who I say I am.

Which is why I use a made up "mother's maiden name".
No law says it has to be the real one, no one cares, but a made up name is not automatically accessible.

I use the dog's name for a lot of things, too.

added:
but I do not do online banking, either. No way I trust our local small town bank to have a safe system.